[centos@lb0-control-01 ~]$ vault auth --ca-cert=/etc/pki/CA/ca.cert xxxxxxx
Successfully authenticated!
token: xxxxxxx
token_duration: 0
token_policies: [root]
[centos@lb0-control-01 ~]$ vault write --ca-cert=/etc/pki/CA/ca.cert
auth/cert/certs/test display_name=test policies=root certificate=@/etc/pki/mantl/cert
Success! Data written to: auth/cert/certs/test
[centos@lb0-control-01 ~]$ vault auth -tls-skip-verify -method=cert -ca-cert=/etc/pki/CA/ca.cert -client-cert=/etc/pki/mantl/cert -client-key=/etc/pki/mantl/key
Error making API request.
URL: PUT https://lb0-control-03.node.consul:8200/v1/auth/cert/login
Code: 400. Errors:
* invalid certificate or no client certificate supplied
[centos@lb0-control-01 ~]$ openssl verify -CAfile /etc/pki/CA/ca.cert /etc/pki/mantl/cert
/etc/pki/mantl/cert: OK
---
# Logs in to Vault with the root token so the tasks below can configure the cert auth backend.
# NOTE(review): the root token is passed as a command-line argument, so it can appear in the
# process list and in Ansible's task output; consider no_log: true on this task.
# NOTE(review): "{{ vault_command_options }}" is quoted as one word; if the variable holds
# more than one option they would reach vault as a single argument. Confirm its value.
- name: authenticate with vault
command: vault auth "{{ vault_command_options }}" "{{ vault_root_token }}"
# Enables the cert auth backend; run_once executes this on one host only instead of every host.
- name: enable cert auth backend
run_once: yes
command: vault auth-enable "{{ vault_command_options }}" cert
# Registers the host's certificate (read from the host_cert file via the @ prefix) under
# auth/cert/certs/<inventory_hostname>.
# NOTE(review): no policies= field is written here, while the manual session on this page
# used policies=root; set the intended, least-privileged policy explicitly.
- name: write host cert to authorized certificates
command: >
vault write "{{ vault_command_options }}"
"auth/cert/certs/{{ inventory_hostname }}"
"display_name={{ inventory_hostname }}"
"certificate=@{{ host_cert }}"
# This one fails
# Logs in with the cert method, presenting host_cert/host_key as the TLS client certificate.
# NOTE(review): the manual attempt on this page got "invalid certificate or no client
# certificate supplied". `openssl verify -CAfile` only checks the chain to the CA; it does
# not show whether the certificate is permitted for TLS client authentication. Inspect the
# extended key usage with `openssl x509 -noout -text` to confirm.
- name: authenticate with vault using cert
command: >
vault auth "{{ vault_command_options }}"
-method=cert
-client-cert="{{ host_cert }}"
-client-key="{{ host_key }}"
Hi Langston,
Can you provide the PEM of the public certificate? That would help to figure out what the issue might be.
Thanks,
Jeff
[root@lb-mi-control-01 ~]# cat /etc/pki/mantl/cert
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----